Krebs on Security

In-depth security news and investigation

Pro-Grade Point-of-Sale Skimmer

Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example — images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly.

This point-of-sale device was one of several found in an as-yet undisclosed merchant breach.

In October 2012, forensics experts with Trustwave Spiderlabs were called in to examine the handiwork of several Bluetooth-based point-of-sale skimmers found at a major U.S. retailer. The skimmers described and pictured in this blog post were retrieved from a retail breach that has not yet been disclosed, said Jonathan Spruill, a security consultant at Trustwave.

Spruill said the card-skimming devices that had been added to the small point-of-sale machines were beyond anything he’d encountered in skimmer technology to date.

“The stuff we’ve been seeing lately is a leap forward in these types of crimes,” said Spruill, a former special agent with the U.S. Secret Service. “You hate to say you admire the work, but at some point you say, ‘Wow, that’s pretty clever.’ From a technical and hardware standpoint, this was really well thought-out.”

Spruill declined to name the breached merchant, and said it was unclear how long the devices had been in place prior to their discovery, or how they were introduced into the stores. But the incident is the latest in a string of breaches involving bricks-and-mortar merchants discovering compromised point-of-sale devices at their retail stores. Late last year, bookseller Barnes & Noble disclosed that it had found modified point-of-sale devices at 60 locations nationwide.

The picture below shows the card skimmer in more detail. The green circuit board, with the grey square metal shield and the blue component to its left, is the brains of the device. The eight-pin black chip in the upper right is the memory that stored the stolen credit and debit card and PIN data from unwitting store customers.

Beneath the large grey metal shield in the center of the board are the chips that make up the Bluetooth radio; the whole shielded module is soldered to the board. The blue and white wires connect the skimming module to the card reader inside the point-of-sale device, while the group of eight orange wires coming out of the bottom connect directly to the device’s PIN pad.

The Bluetooth point-of-sale skimmer, up close.

The image below shows the eight orange wires from the skimmer soldered to the POS device. Spruill said the quality of the soldering job indicates this was not made by some kid in his mom’s basement.

“One of the reasons suggesting that the attacker was fairly accomplished is the quality of the solder done with those very small connections to the PIN pad,” he said.

A close-up showing the orange wires from the skimmer soldered to the PIN pad.

The reverse side of the skimmer circuit board is shown in the somewhat blurry picture below. Clockwise from the top are the yellow and white wires that connect the skimmer to the POS device’s power and ground, respectively. The six unpopulated holes running down the bottom right of the board are a programming header for the microcontroller (the big black chip in the center). The blue and white wires at seven o’clock carry the POS device’s card reader signals to a Magtek chip. Spruill said while Magtek is the technology that’s in virtually every card reader out there, the entire circuit board appears to have been custom made, and possibly mass-produced, to be used expressly for skimming POS devices.

“There is really no other function that this skimming device could have done,” he said. “I would imagine this was manufactured somewhere, but it’s not clear where. Based on the componentry, there is no other function that I could see this being used for. What other implementation would you use to capture magnetic stripe and PIN data and transfer it over Bluetooth?”

The backside of the Bluetooth skimming device.

Spruill said that beneath the access panel on the device were some SIM card holders, which could have allowed the device to send stolen data over a GSM cellular network to anywhere in the world. For whatever reason, whoever modified these point-of-sale devices chose to transmit the stolen card data via Bluetooth instead. The thieves who planted the skimmers could then periodically collect the stolen data with any Bluetooth-enabled phone or laptop. A Bluetooth radio can typically be reached from roughly 10 meters (Class 2) to 100 meters (Class 1), and that range can be extended with a directional antenna, so the thieves could have pulled the data either by shopping in the store or from a car or van parked in the store’s lot.

Card skimmers that transmit data are becoming increasingly common, particularly in skimming devices added to gas station pumps. But this skimmer included some extra technology that indicates its designers had taken precautions to prevent outsiders from being able to intercept or read the stolen card and PIN data: Spruill said the skimming device encrypted the stolen data both while stored on the device’s memory module and when it was to be transmitted wirelessly.

“In this case, the stolen data is encrypted, both at rest and when transmitted over Bluetooth,” Spruill said. “That is strange in my experience, because usually you will find it is stored in plain text or XORed” [XOR with a short, fixed key is an obfuscation rather than real encryption, and it can be undone without knowing the key].

Trustwave Spiderlabs is still working on decrypting the data on the devices, which Spruill said is protected with a custom implementation of the AES block cipher; AES, short for Advanced Encryption Standard, is the encryption standard adopted by the U.S. government and now widely used worldwide. Complicating matters further, the skimmer maker set the microcontroller’s “lock bit,” a hardware protection fuse that prevents the code and data on the chip from being read out over the programming interface and blocks any further writes to the chip.

Whether Trustwave can break the cipher and determine which card brands may have been impacted by the skimming attacks could affect the fines paid by the breached merchant, he said.

“We’ve got a lot smart people working on it, but at present it’s not easy to get around,” Spruill said. “There were no keys or algorithms that we could pull from the controller.”
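To make concrete why Spruill treats an XORed dump as trivial to read, here is an added example written for this post; it is not Trustwave’s tooling or anything recovered from these devices. It constructs a small skimmer dump of Track 2 records encrypted with a repeating three-byte XOR key, then recovers that key from the ciphertext alone, using only the fixed alphabet of Track 2 data and the Luhn check digit on the card number. The records, the key and the “memory contents” are all made up for the illustration (the card numbers are published industry test numbers, not real accounts).

```python
"""Triage of a skimmer memory dump "protected" with repeating-key XOR.

Added example for this post, not Trustwave's tooling.  The dump is
constructed here: three Track 2 records (ISO/IEC 7813 layout
";PAN=YYMMSSS<discretionary>?") XORed with a short repeating key, the
scheme Spruill describes as the usual find before this device.  Recovery
uses only the Track 2 alphabet (digits plus ';', '=' and '?') and the
Luhn check digit, so no key material is needed.
"""
import itertools
import math

TRACK2_ALPHABET = frozenset(b"0123456789;=?")

# Constructed sample data (assumptions for this example only).
SAMPLE_RECORDS = [
    ";4111111111111111=2512101000000080?",
    ";5500000000000004=2706201123456789?",
    ";378282246310005=2403101000000000?",
]
SAMPLE_KEY = b"\x5a\xc3\x10"


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def luhn_ok(pan):
    """Luhn check digit validation (ISO/IEC 7812) on a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(record):
    """Return (pan, expiry_yymm, service_code), or None if not well-formed."""
    if not (record.startswith(";") and record.endswith("?")):
        return None
    pan, sep, rest = record[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or not 13 <= len(pan) <= 19:
        return None
    if len(rest) < 7 or not rest.isdigit() or not luhn_ok(pan):
        return None
    return pan, rest[:4], rest[4:7]


def parse_dump(plaintext):
    """Split a decrypted dump on the '?' end sentinel; None if any record fails."""
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.endswith("?"):
        return None
    records = [parse_track2(chunk + "?") for chunk in text[:-1].split("?")]
    return records if records and all(records) else None


def recover_xor_key(cipher, max_key_len=8, max_trials=4096):
    """Recover a repeating XOR key from the ciphertext alone.

    With a repeating key, each key byte is an independent single-byte XOR
    over the ciphertext bytes it covers, so it is constrained on its own:
    it must map all of them into the Track 2 alphabet.  The few surviving
    combinations are confirmed by the structural parse plus Luhn test.
    Returns the key bytes, or None if no key length fits.
    """
    for klen in range(1, max_key_len + 1):
        per_position = []
        for pos in range(klen):
            column = cipher[pos::klen]
            per_position.append(
                [k for k in range(256) if all(c ^ k in TRACK2_ALPHABET for c in column)]
            )
        # A wrong length leaves some position with no workable byte (product
        # is then empty) or far too many (too unconstrained to be right).
        if math.prod(len(cands) for cands in per_position) > max_trials:
            continue
        for combo in itertools.product(*per_position):
            key = bytes(combo)
            if parse_dump(xor_bytes(cipher, key)) is not None:
                return key
    return None


def skimmer_dump():
    """Constructed ciphertext standing in for the contents of the memory chip."""
    return xor_bytes("".join(SAMPLE_RECORDS).encode("ascii"), SAMPLE_KEY)


if __name__ == "__main__":
    dump = skimmer_dump()
    key = recover_xor_key(dump)
    print("recovered key:", key.hex())
    for pan, expiry, service in parse_dump(xor_bytes(dump, key)):
        print(f"PAN {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}  exp {expiry}  svc {service}")
```

The lesson is in recover_xor_key: a repeating key turns the problem into one single-byte XOR per key position, each solved in at most 256 guesses against a 13-character alphabet, which is why an XORed dump is readable in seconds with no key at all. A device that encrypts with AES under a key that never leaves a lock-bit-protected microcontroller, as in the case above, gives this kind of structural attack nothing to work with.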


This entry was posted on Friday, February 1st, 2013 at 11:34 am and is filed under All About Skimmers.

39 comments

“What other implementation would you use to capture magnetic stripe and PIN data and transfer it over Bluetooth?” Hand-held card readers used in restaurants by waitstaff to take people’s cc’s at their tables? I mean that could be one legit reason. Not sure if it is done though.

I could be wrong, and I’m sure PCI experts reading this will set me straight if I am, but I seriously doubt that it would be within the acceptable card security guidelines to be transmitting card and PIN data via Bluetooth.

I would say that the most common applications of bluetooth probably are when compared to a properly configured wifi. Supposedly the latest Bluetooth protocols provide better security than they have traditionally, but there’s certainly room for error in configuration of wifi also or old devices and/or the absence of wIDS features. We would hope that implementations regarding financial data follow best practices but …

I’m definitely no expert, but looking up the PCI DSS standard online, you do see Bluetooth included.

“Organizations that use wireless technology outside of their CDE must verify that all wireless networks (which include Wi-Fi and Bluetooth) are appropriately segmented from the CDE and that unauthorized wireless technology has not been introduced into the CDE.”

What’s curious to me is how/when the chip is soldered to the POS device. As noted in the article, the solder job doesn’t look to be the work of a smash and grabber or someone under a lot of stress of being caught in the store while they’re doing the work. Are these units introduced to the supply chain before they reach the retailer? Do employees send them out for treatment? If this was just at one location it could be a thief with good soldering skills but if its widespread and the soldering is consistent it would be very interesting …

It’s not like you can just “swap” the POS unit. From the looks of it on the photo you would pretty much need to build the entire device apart (note the screws for example), not something that can be done in two minutes. It really does look like these devices were manipulated somewhere within the supply chain or when being sent in for service – very different from ATM manipulation where the focus is on attaching the skimmer as fast as possible.

Yep. It is possible to securely transmit the data via bluetooth and still satisfy PCI requirements, as long as the data is appropriately encrypted (which it apparently has been in this case) and all the other guidelines are followed. It’s more common that a retailer would use a wireless LAN in most circumstances because of the better range and support. There definitely also needs to be periodic physical inspection audits of the swipe terminals and pin pads, just as there is a requirement that all switches and hubs be in locked cabinets. So too should they require tamper evident seals and gaskets on the hardware, which is evidently the vector of exploitation here.

What does PCI compliance state about notifying issuers about a breach? I know under bank privacy regulations there is a responsibility for prompt notification to regulators and other authorities. If this was a large breach at several merchant locations, issuers should be notified so they can start mitigating the risks of compromised cards, because they are on the hook for a majority of the losses. I realize the data is encrypted, but at a minimum I would think card processors could identify the merchant and a potential list of compromised cards.

After reading previous pieces by Brian on card skimmers, I have made it standard practice to pay in cash drawn from a known secure ATM. The thieves are getting more clever than those who design our systems, it seems.
As Scotty said (Star Trek): “The more they overtake the plumbing, the easier it is to stop up the drains!”

I am still trying to wrap my head around people being able to put these things in a brick-and-mortar place like B&N without detection. Can they modify one of those “pass pay” stations where you just wave your credit card at the device and it charges it? Or are only devices where you enter your PIN dangerous? I never use those things, but I know plenty of people who do, and half of them think I’m paranoid because I’m always preaching to them about this kind of stuff. I’m not going back to cash but Brian has made me (gratefully) super-alert around anything electronic.

One of my daily job functions is disputing fraudulent debit card transactions for our bank clients. The customers never end up eating these charges; it is almost always the banks. I just got a signed receipt from a fraudulent transaction at a Wal Mart in Texas. The receipt showed that 6 different cards were denied before the seventh one was approved. At what point do we make merchants liable for gross negligence when accepting debit and credit cards?

Sadly, that’s not an uncommon sight. People have a half dozen credit cards, but haven’t paid their bills and are desperate to find one that hasn’t been closed.

The cashier usually isn’t told the difference between a “denied – NSF” and a “denied – stolen card” situation. It’s certainly not the cashier’s job to confront or accuse a customer.

The processor is in a position to see multiple “decline-stolen” responses on a single transaction, and their fraud detection logic could flag further responses as “suspicious”, but there’s only so much they can do.

Who cleans the floors and empties the wastebaskets after hours at the targeted merchants? Is that service outsourced? The same Eastern Europeans using fake IDs to create bank accounts to act as money mules could easily infiltrate a cleaning service to get after-hours access to checkout devices that need to be cleaned after normal use. If nothing is missing when they leave, they’ll likely get away with it long enough to leave the U.S.

Another use for this sort of thing might be for engineering and maintenance. No matter; assuming Silicon Valley has a high population of people who possess high-reliability soldering training and experience, it wouldn’t be so hard for a small cadre of like-minded techies to put these together in bulk. With proper hardware, training and detailed schematics, a team of 5 could make 20 to 30 in a weekend.

To me, it’s clear that whoever is doing this is an insider with knowledge, opportunity, and physical access to these devices. In the end this will most likely be an employee of a PoS supplier/maintainer, and his 22- to 28-year-old friends wasting their talents on this.

I had already seen this technology in 2005. Yes, encrypted Bluetooth. It’s been mostly Eastern European gangs from Romania/Moldova that were caught, but Chinese and others must be involved too. One particular case I will never forget: infected British POS devices which activated themselves ONLY when gold or platinum cards were inserted and sent the data via SMS to a cellphone located in Lahore, Pakistan. The POS devices were obviously “infected” in the factory in China, where all these devices come from these days. I just wait for the day when a waiter/cashier tells me “sorry, no cash.”
That day may come sooner than we all dream.
Until then I pay with cash as much as possible.

There are fab shops in China and other places that will manufacture a one off run of a couple of hundred boards based on an emailed CAM design for $50 a piece (well, maybe not considering the components on that board – but not far off).

As to the rather patronising line, “was not made by some kid in his mom’s basement”: it takes 2 or 3 years of regular soldering to get that level of quality – my friends and I would not have considered it special even at secondary school. The design, on the other hand, would have been beyond us. These days, with many websites dedicated to building boards, I think we could have managed it. Starting with Arduino based projects and slowly making them “rawer” for the challenge / elitism strikes me as a powerful way of climbing learning curve.

These POS devices should be sealed and break when opened! The supplier is at fault here, or the devices came infected from the factory (which I doubt, looking at the pics). For many years now, new POS devices have had special sealing, sort of Faraday cages, which circumvent opening and soldering additional boards to the devices. The whole CC fraud business relies on the insurance you, the customers, pay! The card suppliers and payment services are insured, and YOU pay for it.

The SIM slots in the devices are NOT SIM slots. They are for SAMs (Security Access Modules), which are used for running different crypto and applications. This device does not have GSM comms.

I’d be interested to know how it is known that it is encrypted with AES. Encrypted, yes. Not XOR’d, sure. But definitely AES? That would require some detailed analysis. Do-able, in certain ways, but not trivial.

I’m interested in the manufacturing component. Is it easy to create a custom size circuit board that uses bluetooth wireless and stores data? I don’t think it is. It requires access to some unique skills, tools, and supplies, correct?

I know this isn’t super high tech weaponry we’re talking about here, but I’ve only met one person in my lifetime that has the knowledge and access to do this type of thing – let alone mass produce it. My point is that it’s not very common. So doesn’t this narrow down who and where this could come from?

For example, the number 120327 on the board, or the information on the chips: can’t some of that be traced back to the original manufacturers? After all, we’re assuming that the level of sophistication means this wasn’t created by “some kid in his mother’s basement,” right?

The CPU on the back side of the board has a lot of unused pins, which makes me think the builder purchased whatever chip he could get for dirt cheap. Perhaps they were old phone CPUs desoldered and recovered from recycled electronics in Shenzhen (which are really cheap, and cash walks.) Impossible to tell from the out of focus pictures of the chips.

It’s not that difficult to create a decent quality circuit board at home. They can be produced with a few freely available software tools, a laser printer, and some stuff from Radio Shack. Any recent E.E. graduate could do it, as well as a lot of ordinary hobbyists.

Your guess is that the physical evidence and craftsmanship being so common makes it untraceable?

I guess I just look at it like this:

Say I learn how to cut and solder my own board, add a Bluetooth component, add custom data encryption, design the board to fit in retail machines, and then wirelessly collect the data and sell it. That’s a lot to learn… I’d put my money on this guy (or this team) having come to know this stuff over time. Meaning he had or has a job doing some of this for a living legitimately. Otherwise, it might really be a kid in a basement.

I guess when I think about putting myself in the shoes of this person I’d be more fearful of the physical evidence. Forget about finger prints. I’d worry that someone in the industry would recognize my craftsmanship, my training, my methods.

The parts, tools, and knowledge don’t seem all that common to me. For example, although it’s possible to convert your car to run on diesel fuel, who does that? I don’t know anyone that does that. But if a crime were committed using a car with a diesel fueled engine, I’ll bet most people would immediately think of their goofy 3rd cousin that they know does that sort of thing and start to put two and two together.

I didn’t say it’s untraceable, but the skills are far more common than you imagine. Like I said, every EE coming out of school could do it. I counted 50 EE graduates in my engineering school’s commencement bulletin in 2010 – let’s say that’s 5,000 EEs per year across the nation, perhaps 50,000 well-trained folks over the last 10 years.

I could probably do it if I took a few shots at it, and I’m just a software engineer who dabbles in electronics from time to time. (I likely would have been more qualified back when I was in high school, but SMT technology didn’t exist then.) I also know at least a dozen fellow nerds at work who would be at least up to the challenge. Add in thousands of ham radio operators who’ve been building circuits their whole lives, and it wouldn’t surprise me at all to learn that 100,000 people in this country would be capable of creating these devices if they had to.

As far as fear of “recognizing the craftsmanship” goes, the software to design these boards is cheap and common, and every board they crank out looks pretty much like every other board. It’s all drag and drop to grid lines – mad skills are not required. It also wouldn’t surprise me to learn that the board Brian pictured was based on a reference schematic for the chip. That’s a part of why I’d feel confident that a hobbyist could build these – all the necessary info is out there.

If the criminal wanted, they could also outsource the board manufacture to a shop. There are on line stores where you simply upload your Eagle files, type in your credit card number, and wait for the box to arrive in the mail. With no components or schematics specified or needed, there is no way for the board makers to know if a board is destined to be used for good or evil. But a custom manufactured board could leave big footprints right back to the criminals, and I’m guessing they wouldn’t be that bold. There aren’t very many online shops, and all of them would likely cooperate with the authorities.

I was somewhat surprised that the chip didn’t appear to be an Atmega CPU, as there are literally a million Atmega-based developer boards out in the world today. They are the most accessible, friendliest development platforms around, and can be had at Radio Shack for $30. You can head to http://arduino.cc to learn more about this phenomenon.

The excess of unused pins on the CPU leads me to think it was an amateur who designed the circuit instead of a seasoned professional. Wasting that much capability makes me think they are building it based on the one chip they know (perhaps studied in school), instead of selecting the right sized chip for the job.

As far as the criminal organizations go, we’ve caught professional theft rings who distributed “shoplifting lists” to low-level junkies who do the actual stealing (stolen razor blades go for $8/pack, stolen Tylenol goes for $3/bottle, etc.) Organized gangs already know exactly how to spread their risk to avoid capture at the higher levels, and they know how to get desperate people to steal things like card readers off of countertops, or to walk into a store and push a few buttons on a special phone.

It shouldn’t take too much imagination to picture one of these many thousands of capable electronics amateurs hooking up with some of these professional criminals.

You’re right. Looking closer at the board, and having a printed circuit board expert look at it, we could see that it was indeed commercially manufactured.

The thing I finally saw that made me realize that it was commercial were the plated “via holes”. A homemade board would most likely have used soldered jumpers to connect the top and bottom layers; plating would be a difficult and unnecessary expense for a hobbyist already willing to hand-assemble these circuits.

The expert was from one of the many online services that will collect requests for small custom boards from various private people, combine them all onto a single 10″x15″ production board, then they send that request to a Chinese PCB factory. It takes from 10 to 20 days, and the boards that come back are of commercial quality. Based on size, these would cost about $10-$15 each. He noted this board was “immersion gold” plated (his shop only deals in “immersion silver” plated boards, so he knew it wasn’t his shop that the thieves used.)

So yeah, someone somewhere placed an order for these boards, and evidence of that order is likely to be lying around on someone’s servers. But just as there are many custom circuit board services here in America, I also saw 125 PCB factories listed in a Chinese manufacturing directory, and there are an unknown number of others around the world (there are many factories right here in the USA.) Tracking down a small circuit like this could be a lot of work for an investigator.

They once delivered us terminals that had the tamper detectors completely disabled. They could have been opened while being powered up – and they did nothing with this. You could have attached probes to the live terminal.

The fact that the data was encrypted in storage, and the ‘lock bit’ was set, leads me to believe that the builder of these devices did so not to hide the card data from the authorities, but to ensure he remains the kingpin and in full control of the profits.

I’m guessing the builder of the circuit is also the guy who implants the bugs. He started by having a talented thief steal a few working PIN pads from a retailer. He designed, built, and added the bugs to them. He then sent his co-conspirator back out to the original stores to swap the existing devices for the bugged ones, giving him a pool of clean devices with which to expand his scheme.

He probably now sends out “mules” to do the dirty work of swapping devices to infect new stores, as well as visiting the existing stores every few days to download the latest data. He probably pays them on a per card basis. But the mules can’t be trusted to not make their own copies of the data and sell or use it. It would be bad if they did, as they’d be much more likely to get caught and blow the scheme.

So the builder is the only guy with the secret decryption key. He pays the mules for the encrypted data, then he markets the track data on a darknet and collects the profits.